Description
Apache Log4j's JsonTemplateLayout (https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.

An attacker can exploit this issue only if both of the following conditions are met:

* The application uses JsonTemplateLayout.
* The application logs a MapMessage containing an attacker-controlled floating-point value.

Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
Published: 2026-04-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Log corruption and potential denial of service from malformed logs
Action: Immediate Patch
AI Analysis

Impact

The flaw causes JsonTemplateLayout to produce JSON that contains NaN, Infinity, or -Infinity values, which are forbidden by the JSON standard (RFC 8259). When such logs are emitted, downstream log ingestion or indexing systems may reject the record or crash, effectively corrupting audit data. An attacker can trigger this only if the application logs a MapMessage containing an attacker-controlled floating-point value, so the vulnerability does not enable code execution but can cause a loss of critical logs or a service interruption.

Affected Systems

Apache Software Foundation's Log4j JSON Template Layout is affected in all releases through and including 2.25.3. The fix is available in 2.25.4.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium-severity risk. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, suggesting a low exploitation probability. However, if an attacker can get a controlled floating-point value into a MapMessage that the application logs, they could exhaust log processing resources or trigger failures that result in denial of service or loss of audit information. The attack vector is likely remote, originating from any application component that accepts user input and logs it via JsonTemplateLayout.

Generated by OpenCVE AI on April 14, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Log4j JSON Template Layout to version 2.25.4 or later.
  • Verify that the application’s logging configuration references the updated layout and that no legacy configuration remains.
  • If an upgrade cannot be applied immediately, sanitize or replace any NaN, Infinity, or -Infinity values in MapMessage payloads before logging, to ensure compliant JSON is produced.
  • Monitor log processing pipelines for failures or rejected entries that may indicate the issue is still present.
  • Consult the vendor’s security page regularly for any new advisories related to Log4j.
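An added example (not Log4j's or OpenCVE's code) in Python of the two defensive checks described above: a strict RFC 8259 parser that flags records a compliant consumer would reject (the monitoring step), and a sanitizer that replaces non-finite values in a MapMessage-style payload before serialization (the interim workaround). The sample log lines are constructed, and replacing non-finite values with null is an assumed choice.

```python
import json
import math

# Constructed sample records in the shape a JSON layout emits. The second and
# third carry bare NaN / -Infinity tokens, which RFC 8259 does not allow.
SAMPLE_LINES = [
    '{"level":"INFO","message":{"orderId":"A1","amount":12.5}}',
    '{"level":"INFO","message":{"orderId":"A2","amount":NaN}}',
    '{"level":"WARN","message":{"orderId":"A3","amount":-Infinity}}',
]

def _reject_non_finite(token: str):
    """json.loads calls this only for the NaN/Infinity/-Infinity tokens."""
    raise ValueError(f"non-finite token {token!r} is not valid RFC 8259 JSON")

def is_rfc8259_json(line: str) -> bool:
    """Strict check: Python's default decoder silently accepts NaN/Infinity,
    so a parse_constant hook is needed to behave like a compliant consumer."""
    try:
        json.loads(line, parse_constant=_reject_non_finite)
        return True
    except ValueError:
        return False

def find_rejected(lines):
    """Indexes of log lines a strict downstream parser would drop."""
    return [i for i, line in enumerate(lines) if not is_rfc8259_json(line)]

def sanitize(value, replacement=None):
    """Recursively replace non-finite floats in a MapMessage-style payload
    (dicts/lists of scalars) before it reaches the logger. The replacement
    value (null here) is an assumption; pick what your pipeline expects."""
    if isinstance(value, float) and not math.isfinite(value):
        return replacement
    if isinstance(value, dict):
        return {k: sanitize(v, replacement) for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize(v, replacement) for v in value]
    return value

def encode_strict(payload) -> str:
    """Serialize with allow_nan=False so an unsanitized payload fails loudly
    at the producer instead of corrupting the downstream index."""
    return json.dumps(payload, allow_nan=False, separators=(",", ":"))

if __name__ == "__main__":
    print("rejected line indexes:", find_rejected(SAMPLE_LINES))
    raw = {"orderId": "A2", "amount": float("nan"), "ratios": [1.0, float("inf")]}
    print(encode_strict(sanitize(raw)))
```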

Advisories
Source: GitHub GHSA
ID: GHSA-w35j-pv5h-q9q9
Title: Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
History

Fri, 24 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc2:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta3:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-241
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate


Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache log4j
Vendors & Products Apache log4j

Fri, 10 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Apache Log4j's JsonTemplateLayout (https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
Title Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
First Time appeared Apache
Apache log4j Layout Template Json
Weaknesses CWE-116
CPEs cpe:2.3:a:apache:log4j_layout_template_json:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache log4j Layout Template Json
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T17:41:38.229Z

Reserved: 2026-03-28T19:23:37.127Z

Link: CVE-2026-34481

Vulnrichment

Updated: 2026-04-10T16:18:20.891Z

NVD

Status : Analyzed

Published: 2026-04-10T16:16:31.663

Modified: 2026-04-24T18:24:14.900

Link: CVE-2026-34481

Redhat

Severity : Moderate

Public Date: 2026-04-10T15:43:00Z

Links: CVE-2026-34481 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:36:23Z

Weaknesses